How to lock down the family computer?
January 3, 2004 7:37 PM   Subscribe

My family is computer illiterate, and since I moved out they've been giving the family desktop hell. Every time I come home from a holiday or weekend, ads, spyware and malware have taken it hostage. [more inside]

The homepage is usually reset to a 3rd party spyware search engine/url redirection service, various toolbars are installed and the bookmarks are riddled with gambling and pornography sites. It's a horror to look at the names of all the processes running in the background. There are even executables that pop up advertising banners and things in the taskbar and on the desktop. Usually whenever I find things like this, I run all the anti-virus software, clean out the system using Ad-Aware and put things back together bit by bit.

This is a combination of my parents unwittingly clicking on advertisements, and my brothers installing various versions of KaZaA and clicking on malicious links in AIM profiles.

First things first, I tried to educate everybody about how to use the Internet and what to watch out for. I even stuck a word document in the middle of the desktop with a list of things NOT to do. Well, the education approach was all for naught - you try hammering netiquette into the heads of your nearly-60-year-old parents and two teenage brothers who are only interested in downloaded the latest mp3s.

When this didn't work, I removed KaZaA and hid Internet Explorer, replacing them with KaZaA Lite and Mozilla Firebird (with all the popup blocking and whatnot turned on).

This helped things a little, but it seems my family is better at finding their way to the ads and spyware than the spyware is at finding its way to my family. So, I need some help. How can I like down my family's computer so that they can't mess around with things they shouldn't be, while being abled to access all the services and sites that they use the system for? It's a fairly new Dell with Windows XP.
posted by tomorama to Computers & Internet (23 answers total)
 
* make that "lock-down", not "like down". I previewed and proofread, I swear!
posted by tomorama at 7:39 PM on January 3, 2004


tomorama, if you keep cleaning up their messes they will keep making more. I'd leave it alone until they are a bit more teachable.
posted by konolia at 7:45 PM on January 3, 2004


yup--what konolia said--they know that you'll come and fix everything anyway so whatever they do is fine. A little tough love is in order here--let it get to the point where they can't do anything at all so they learn a lesson.
posted by amberglow at 7:50 PM on January 3, 2004


Hiding IE sounds a little extreme. Disabling ActiveX in IE would be sufficient for stopping a lot of the problems encountered.
posted by bobo123 at 7:51 PM on January 3, 2004


Hiding IE sounds a little extreme. Disabling ActiveX in IE would be sufficient for stopping a lot of the problems encountered.

I'm fine with hiding IE. Mozilla is a better browser anyway.

As for the tough-love solution of not cleaning up their mess, that's not the way to go. They don't even ask me to fix things half of the time, because they have no idea what they're doing. When I come for a week and need to get some work done, but first have to wipe clean the entire computer, it really gets me annoyed. I'm looking for suggestions on how to lock down the computer, make it ad-safe, etc... So that I don't have to put up with this anymore.
posted by tomorama at 7:57 PM on January 3, 2004


It's their computer.

If it's not a problem for them, why do you need to do anything?
posted by Blue Stone at 7:58 PM on January 3, 2004


Not to mention, I can just see one of my brothers downloading some kind of spyware or url-redirection program from Kazaa disguised as perfectly safe software, and then my parents getting their CC# stolen when they buy something off EBay.
posted by tomorama at 7:58 PM on January 3, 2004


Not to sound flip, but please, I didn't ask for a debate on the ethics of wether or not I should fix my parents' computer. I asked for help with fixing my parents' computer.
posted by tomorama at 8:00 PM on January 3, 2004


If they continue to run in Windows, no fix exists.
posted by mischief at 8:07 PM on January 3, 2004


Not being a Windows person I'm only passing on what I've read elsewhere as a solution -- WindowsXP can give different levels of user different permissions, no? Why not make your family subordinate users who aren't permitted to install software? Shouldn't this prevent anything from installing? Or does malware disregard the Windows XP rules?
posted by Dreama at 8:07 PM on January 3, 2004


Can ad-aware or spybot be set to run automatically, periodically? If so, do.
posted by Hildago at 8:09 PM on January 3, 2004


That's true about the different user roles. At the moment, I have myself set as the system administrator and everybody else set as a normal user. They can install programs though - what happens when my dad buys my brother a game for his birthday and I'm 90 miles away?
posted by tomorama at 8:10 PM on January 3, 2004


My husband sets adaware AND spybot to run automatically in the wee hours of the morning. Seems to work.
posted by konolia at 8:17 PM on January 3, 2004


Therein lies the rub: If you do go through the laborious process of locking down the machine, they will inevitably feel that it has been crippled and therefore can't partake of $activity, which will eventually lead to you unlocking the machine out of frustration or annoyance.

The first thing I would do (assuming you care) is explain to your parents and brothers the results of downloading MP3s en masse, including the ongoing legal battles, costing people thousands of dollars to settle or potential tens-of-thousands to fight. I would further remind them that, even if your parents aren't using KaZaA personally, the fact that the Internet service is likely in their name will make them liable for any lawsuits that may arise. In my household, this would be the fastest way to guarantee filesharing was permanently banned from the computer. <snicker>

Ad-aware (and I would assume other) spyware-removal programs can be scheduled to run automatically at a specific time or upon Windows startup. You can have the system automatically backup and clean anything it finds, and can most likely hide the GUI entirely. Some advanced automation may require a paid version, and I'm not sure how well this works at solving a redirected home page. You could always solve that by finding the appropriate registry key, exporting it to a .reg file, setting the desired home page, and having the .reg automatically load every time Windows starts.
posted by Danelope at 8:30 PM on January 3, 2004


Make the system dual-boot: one partition for your family (where they can install all the spyware they want), another separate partition for you. I can't imagine that your partition could ever become infected by anything your family did, right?
posted by gd779 at 8:46 PM on January 3, 2004


I don't think I get enough serious use out of the thing to warrant a dual-boot partition.
posted by tomorama at 8:56 PM on January 3, 2004




Can you create a separate profile/boot for each member of the family (mom, dad, brother 1, brother 2, you) -- it might make them each feel as though they have their own computer, to customize as they wish, plus it would keep your mom and dad safe from the worst of the Kazaa gunk.

We have one PC in my house with three partitions (well, actually with two hard drives and three partitions, but I digress) -- one for me, one for my boyfriend, one for our roommate. Its been a godsend. We can each have our own desktop and use the software we prefer, no one accidently logs into on-line shopping sites under another password and finds out what they're getting for Xmas, and my boyfriend can look at Porn-n-stuff without any worry that something icky will get into my work files.

Plus, you might discover that its one family member more than the others who has 'issues'.
posted by anastasiav at 9:09 PM on January 3, 2004


You could install "deep freeze" and just unlock the "my documents" folder. They couldn't install anything but save stuff to that folder. Each time they reboot the machine is clean.
posted by mecran01 at 7:09 AM on January 4, 2004


Maybe you could do what we did at the office where I used to work in IT. Wipe it clean, get a solid install in place, and Ghost it. We then told users that we weren't going to monitor or micromanage them, but that if they screwed up their system, it would simply be re-imaged.

People eventually got pretty good about backing up their data files, and became much more selective about installing shareware and opening e-mail attachments.
posted by Tubes at 1:06 PM on January 4, 2004


I would do these :
- install SpyBot, and besides setting it to scan at certain times, I would also use the Immunize function and the Bad Download blocker, which should reduce the number of spyware downloaded
- I would ask them to run CWShredder once a week. Just put it on their desktop and ask them to run it. They don't need a degree to use it, they just have to click next. :)
- I would install them a download manager (FlashGet etc.) that can be programmed to immediately scan after download any file downloaded (this, of course, would assume an AntiVirus would be installed)
- I would install them Sygate Personal Firewall, ask them what they use online, and set the firewall to block any other software attempting to connect online (that should block spyware programs from "phoning home").

I hope my tips are helpful. Good luck!
posted by Masi at 1:59 PM on January 4, 2004


There is a cheap way to disable XP's IE. It's ugly, but it does work, and that's probably the primary vector for most of this stuff. Security settings are probably ineffective given the huge number of holes in IE that allow pages to run any damn code they want regardless of settings or privilege level.

Likely there's some fair quantity of crapware tacked on to (or masquerading as) various Kazaa downloads, as well, but your only defense against determined downloaders with no sense of caution is to set up automated scanning as described by some other folks.

It might also be useful to delete Windows Media Player from the box, which can (and will probably continue to) allow for infection via nonexecutable media files. Replace it with something like Media Player Classic and a copy of Winamp, which are somewhat safer.

That said, they have physical access to the box and like most inexperienced users an inescapable desire to seek out and run malicious code and break everything they can get their hands on -- I've faced this problem with having a 12 year old kid borrow a box for a couple of months, and I know how ugly it can get -- and you will have to face the fact that from time to time you are going to need to baseline the system with a fresh install or a Ghost image. No matter what you do, Windows will give them enough rope to hang themselves.
posted by majick at 6:32 PM on January 4, 2004


Masi: those are some good suggestions. I'm going to try them out. For the past day or so, I've had Ad-Aware running at log-in.

majick: I already "disabled" IE by removing it from the desktop, putting a shortcut to mozilla in it's place and naming that shortcut "Internet Explorer". No need to actualy disable IE - when my parents are fooled by the "click here to quintuple your internet connection speed" ads, that also means that I can outsmart them blindfolded, with both hands tied behind my back.

Also, I didn't know about that Windows Media bug, but regardless I've had it replaced with quicktime and winamp for quite some time.
posted by tomorama at 1:14 AM on January 5, 2004


« Older How do I remove squirrels from my eaves?   |   Why aren't Mars landers designed to last longer? Newer »
This thread is closed to new comments.